11f666c58fc5598880fd624e7f864bae439c6e55a206986eda08ac3ae1a1a4f6

Analysis

max time kernel
148s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a7159e744818f13a859f546ea82321c.exe
Size

184KB
MD5

2a7159e744818f13a859f546ea82321c
SHA1

28e55af149fc637fbf7f4997ec0a5a37166fda4e
SHA256

11f666c58fc5598880fd624e7f864bae439c6e55a206986eda08ac3ae1a1a4f6
SHA512

500d34e93ac13b9ac5f5947b7d0f6d8e6c231f072365a40b8f998a2de6920f0dce5df4e009b93293f0626a94c433fb741cb8ebb8a8324062fe6a27b8de15d087
SSDEEP

3072:cY2ZJm0WVXa1YqldrXAHDnP8jmvZMy1Jy3b33akhGuSahvyMjy5cI8dZLsVzg:wZE0WVXa9Z0P8jmBry3L9nsVc

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	2a7159e744818f13a859f546ea82321c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	jjzeoh.exe

Executes dropped EXE 1 IoCs

pid	Process
1948	jjzeoh.exe

Loads dropped DLL 2 IoCs

pid	Process
1852	2a7159e744818f13a859f546ea82321c.exe
1852	2a7159e744818f13a859f546ea82321c.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\jjzeoh = "C:\\Users\\Admin\\jjzeoh.exe /i"	jjzeoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\jjzeoh = "C:\\Users\\Admin\\jjzeoh.exe /u"	jjzeoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\jjzeoh = "C:\\Users\\Admin\\jjzeoh.exe /q"	jjzeoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\jjzeoh = "C:\\Users\\Admin\\jjzeoh.exe /t"	jjzeoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\jjzeoh = "C:\\Users\\Admin\\jjzeoh.exe /w"	jjzeoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\jjzeoh = "C:\\Users\\Admin\\jjzeoh.exe /d"	jjzeoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\jjzeoh = "C:\\Users\\Admin\\jjzeoh.exe /j"	jjzeoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\jjzeoh = "C:\\Users\\Admin\\jjzeoh.exe /v"	jjzeoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\jjzeoh = "C:\\Users\\Admin\\jjzeoh.exe /r"	jjzeoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\jjzeoh = "C:\\Users\\Admin\\jjzeoh.exe /g"	jjzeoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\jjzeoh = "C:\\Users\\Admin\\jjzeoh.exe /c"	jjzeoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\jjzeoh = "C:\\Users\\Admin\\jjzeoh.exe /e"	jjzeoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\jjzeoh = "C:\\Users\\Admin\\jjzeoh.exe /p"	jjzeoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\jjzeoh = "C:\\Users\\Admin\\jjzeoh.exe /o"	2a7159e744818f13a859f546ea82321c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\jjzeoh = "C:\\Users\\Admin\\jjzeoh.exe /n"	jjzeoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\jjzeoh = "C:\\Users\\Admin\\jjzeoh.exe /x"	jjzeoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\jjzeoh = "C:\\Users\\Admin\\jjzeoh.exe /s"	jjzeoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\jjzeoh = "C:\\Users\\Admin\\jjzeoh.exe /h"	jjzeoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\jjzeoh = "C:\\Users\\Admin\\jjzeoh.exe /k"	jjzeoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\jjzeoh = "C:\\Users\\Admin\\jjzeoh.exe /l"	jjzeoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\jjzeoh = "C:\\Users\\Admin\\jjzeoh.exe /o"	jjzeoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\jjzeoh = "C:\\Users\\Admin\\jjzeoh.exe /b"	jjzeoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\jjzeoh = "C:\\Users\\Admin\\jjzeoh.exe /m"	jjzeoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\jjzeoh = "C:\\Users\\Admin\\jjzeoh.exe /f"	jjzeoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\jjzeoh = "C:\\Users\\Admin\\jjzeoh.exe /z"	jjzeoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\jjzeoh = "C:\\Users\\Admin\\jjzeoh.exe /a"	jjzeoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\jjzeoh = "C:\\Users\\Admin\\jjzeoh.exe /y"	jjzeoh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1852	2a7159e744818f13a859f546ea82321c.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe
1948	jjzeoh.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1852	2a7159e744818f13a859f546ea82321c.exe
1948	jjzeoh.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 1948	1852	2a7159e744818f13a859f546ea82321c.exe	28
PID 1852 wrote to memory of 1948	1852	2a7159e744818f13a859f546ea82321c.exe	28
PID 1852 wrote to memory of 1948	1852	2a7159e744818f13a859f546ea82321c.exe	28
PID 1852 wrote to memory of 1948	1852	2a7159e744818f13a859f546ea82321c.exe	28

C:\Users\Admin\AppData\Local\Temp\2a7159e744818f13a859f546ea82321c.exe
"C:\Users\Admin\AppData\Local\Temp\2a7159e744818f13a859f546ea82321c.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Users\Admin\jjzeoh.exe
  "C:\Users\Admin\jjzeoh.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\jjzeoh.exe

Filesize
92KB

MD5
0a7e759de5e0e0a6047ba4cc9d49cf65

SHA1
52c722428ce3950dbc65879aa96c6128c54bcd19

SHA256
a37c0cb95babf0f5d805657269a697f18959b0bf60608c8630cb5b29d1ca9b17

SHA512
34f6cb18c100b75d747865729573b83b388b25594d97ecdf359f8e5fa494d5e6e9f17ceec7780aa4a62558f2c02caae3e58eba556c24a403d31d1e6bbad094ce

Download Submit
\Users\Admin\jjzeoh.exe

Filesize
93KB

MD5
8ab599470ef7ee80b5f47b921cf5add4

SHA1
f73d7e5bc2423994ba3d22fd2fb1d3f71135c722

SHA256
1c43be857d2fc1c9de08ef54ea028a903c61b07302e853b78a7cce99a3bcfa64

SHA512
9ca4d01c9287879ce039797171447fda77bac5847d8be83aa21e06309f9daf68f3b5da27b376ab60c903b75ea2d43ac6891e53c5e9fbc3eab982f214ed1ca8fe

Download Submit